Introduction

The phrase cyber terror appeared for the first time in the mid-eighties. According to several sources, Barry C. Collin, a senior person research fellow of the Institute for Security and Intelligence in California, defined cyber terror at that time as “the convergence of cybernetics and terrorism”—an elegant and simple definition. That definition, however, was not specific enough to make a clear distinction with terms like cybercrime, cyber activism (hacktivism), and cyber extremism.

The first glimpses of the cyber revolution, the next wave after the industrial revolution, were much debated in the eighties (e.g., Toffler, 1980). It was therefore no surprise that the first discussions were raised in that decade about cyber terror and terrorism in the envisioned new world. In the nineties, the debate about the cyber revolution widened to phenomenon such as information warfare and information superiority. That reinforced the idea again that terrorists could enter cyberspace and use that as a domain for terroristic actions. This idea was reflected by the National Research Council (1991): “Tomorrow’s terrorist may be able to do more damage with a keyboard than with a bomb.” As a result, cyber terrorism was added to the list of serious national threats to the United States.

The unexpected outcome of the 1993 battle of Mogadishu (Bowden, 1999) showed the potential of an asymmetric threat with a major political impact, and with the millennium uncertainties, further widened the societal uncertainty about a possible terrorist initiated risk from cyberspace for the public. Since then, the term cyber terror has helped to create dramatic and attention grabbing newspaper headlines. This chapter subsequently asserts that, based on a definition developed from previous definitions, the world has not yet experienced a real cyber terror impacting event.

The Confusion About Cyber Terrorism

Around the millennium, many experts from different disciplines showed interest in the potential of cyber terrorism. For that reason, a wide range of moderate definitions for cyber terrorism were proposed, especially in the period between 1997 and 2001. The reason for the incoherence of the definitions stems from the fact that their origin lay in quite different expert fields such as law enforcement, international studies, anti-terror, information security, and information operations. The popular press even creates more confusion. Below several of these definitions will be discussed to show examples of the confusion. From these definitions we can derive elements for an encompassing definition of cyber terror as stated in the following sections. The definitions also demonstrate that no act of cyber terror has occurred yet.

In 1997, Mark Pollitt of the FBI defined cyber terrorism as:

The emphasis in this definition lies on the what, and whom. The terror-related aspect of fear is lacking as well as the use of threatening with an attack. Combatants are excluded, which reflected FBI’s mandate but did not help to derive the comprehensive definition. In 2004, the FBI (Lourdeau, 2004) redefined cyber terrorism as:

This definition focuses on the criminality of the act, the traditional information and communication technology (ICT) means, the intended impact, and motivation. The definition lacks a wider view on newer ICT, such as those embedded in for instance critical infrastructures, cars, and medical equipment. The impact in the definition is limited only to raising fear and uncertainty whereas terrorism may aim at disrupting the economy, the environment, international relationships, and governmental governance processes as well.

In 2000, the information security expert Professor Dorothy E. Denning defined cyber terrorism as:

This definition has its focus on the possible impact of cyber terrorism. Why terrorists would perform an act of cyber terrorism and the how are not discussed. After 09/11, she redefined cyber terrorism in (Denning, 2001) as:

This definition stems clearly from an information security point of view. Its focus is on the integrity and availability of information. This definition does not cover physical effects as a result of an affected cyber layer. The definition also fails to make a clear distinction with cyber activism (hacktivism).

In 2002, the US Center for Strategic and International Studies defined cyber terrorism as:

This definition is imprecise. For instance, this definition suggests that a critical infrastructure operator who shuts down a (part of) critical infrastructure for technical or safety reasons from his/her operating station could be a cyber terrorist. At the same time, hacktivists trying to impress governmental decision-makers are cyber terrorists as well—and are not included.

When reflecting on press headlines from the last 25 years, it immediately becomes apparent that each new disruption related to our cyber world is labeled by popular press as “cyber terror.” Then with hindsight, the “cyber terror” event is hardly remembered a couple of years later. At most it is regarded as a simple act of cybercrime or activism. In instances where it was a denial-of-service attack, the sustained bandwidth of daily annoying attacks to organizations is often factored higher than the simple cyber surface scratching event which was labeled as a cyber-terror event in the press.

Another source of confusion stems from the use of the term “cyber terror” for all use of cyberspace activities by terrorists and terrorist groups. It is the combination of cyberspace as a possible target and a weapon used by terrorists and terrorist groups of the communication commodity services we all use. Terrorists use cyberspace for their command and control, global information exchange and planning, fundraising and attempts to increase their support, community, propaganda, recruitment, and information operations (Bosch et al., 1999) to influence the public opinion (NCTb, 2009). Some of this use may be considered crime or even cybercrime by national governments, but it will not be considered “terrorism” according to the various national legal systems.

Cyber Terrorism Definition

As discussed in the previous section, large differences are visible between the previous and many more definitions of cyber terrorism. Some of the proposed definitions are restricted by the mandate and thus the confined view of an organization; others concentrate on specific ICT technologies, targets, or motivations of the actors.

What is needed is a definition which clearly defines cyber terrorism from ordinary cybercrime, hacktivism, and even cyber extremism. From the above, it will be clear that elements which need to be part of the definition are:

• The legal context (intent, conspiracy, just the threat or act?)

• Cyberspace being used as a weapon or being a target

• The objective(s) of the malicious act which include a kind of violence with far-reaching psychological effects to the targeted audience

• The intent combined with the long-term goal (e.g., societal or political change; influencing political decision-making) which drives the terrorist or terrorist group.

With respect to cyberspace—systems, networks and information—as a weapon or a target, we can distinguish cyber attacks by cyber terrorists on (or a combination of):

• The integrity of information (e.g., unauthorized deletion, unauthorized changes) causing the loss of trust in ICT and society. Targets could be databases that are critical to society: person records, vehicle registration, property ownerships, and financial records and accounts.

• The confidentiality of information. Large-scale breaches of personal privacy and organizations’ confidential information could create societal disorder, e.g. the publication of the complete health records of HIV-infected persons in a nation could initiate a sequence of harassments and suicides. The response by a government may breach the privacy of citizens and result in the amplification of the intended terrorist objectives.

• The availability of ICT-based services through ICT-means, for example by a long duration denial-of-service attack, an unauthorized disruption of systems and networks, or physical or electromagnetic attack on data centers and critical ICT-system components.

• ICT-based processes which control real-world physical processes, e.g. a nuclear power plant, refinery, vehicles and other forms of transport, health monitoring and control, smart grids and smart cities (see Chapter 3 on New and Emerging Threats).

In order to provide a more precise definition of cyber terrorism based on all elements identified before, we first need to look at the definition of terrorism which shall encompass the cyber terrorism definition. Unfortunately there is no generally agreed international definition of terrorism, see for instance Saul (2005).

UK’s Terrorism Act (UK, 2000) defines terrorism as:

Interestingly this definition includes a cyber aspect as well. The definition contains some weak points, for instance a political party trying to influence the government to reintroduce smoking at offices by cancelling the anti-smoking laws is involved with a serious risk to the health and safety of the public. This definition states that such a party is a terror organization.

In 2010, the Netherlands government changed its terrorism definition to align the definition used by its justice system with the operational definition of its intelligence services. At the same time the Dutch government tried to align with the terrorism definition provided by European Council (2002) and the United Nations. The Dutch working definition of terrorism (NCTb, 2014) is:

However, when comparing the UK’s considered terroristic impact part with elsewhere defined national interests, the UK’s “damage to a property” sounds weak. The Dutch, for example, consider “disruptive economic damage,” “serious negative impacts to the ecological security,” and “a serious change of social and political stability” as elements to be mitigated national risk.

On the basis of preceding considerations, terrorism probably can be better defined as:

From that, we can derive a definition of cyber terrorism as:

Has Cyber Terrorism Ever Occurred?

Using the final definition above, there is only a limited set of actions after the mid-eighties which may have neared a real cyber terror act. A first one was during the Nagorno-Karabakh conflict around 1999. Following unconfirmed reports, hackers modified blood types in patient records in a hospital database causing the risk of people dying through receiving the wrong blood transfusion. A second one may be the 2006–2007 preparations by an Al Qa’ida-related terrorist group which planned to physically target the Telehouse telecommunications centre and internet exchange in the London Docklands area. In August 2006, the potential societal effect of such an attack was demonstrated by a small power disruption at Telehouse. This technical disruption took down tens of thousands websites and hundred thousand customers of Plusnet internet services for a number of hours (Wearden, 2006). The societal effects of a possible long-duration disruption which could have been the result of a successful physical attack can only be guessed but probably would have been minor given the redundancy of systems, networks, backed up information, and services.

All other cyber disruptions that took place were labeled as cyber-terror acts by the news media, were (although for the public and organizations sometimes disturbing and annoying) ICT-disruptions caused by acts of cybercrime or hacktivism, or turned out to be technical in nature.

Conclusions

This chapter discussed the elements which are required to classify an event as a cyber-terroristic act and derives a definition of cyber terror.

Despite the many media headlines, it is asserted that based on the definition shaped above, that no clear act of cyber terrorism has occurred yet. We need to be prepared, however, for acts of cyber terror as the increasing societal critical reliance on ICT will make ICT systems and services as well as embedded ICT an interesting target for future terrorists.